How Amazon Simple Storage Service (Amazon S3) Uses AWS KMS

This topic discusses how to protect data at rest within Amazon S3 data centers by using AWS KMS. There are two ways to use AWS KMS with Amazon S3. You can use server-side encryption to protect your data with a master key, or you can use an AWS KMS customer master key (CMK) with the Amazon S3 Encryption Client to protect your data on the client side.

You can choose a customer managed CMK or the AWS managed CMK for Amazon S3 in your account. If you choose to encrypt your data, AWS KMS and Amazon S3 perform the following actions:

Amazon S3 requests a plaintext data key and a copy of the key encrypted under the specified CMK.

AWS KMS creates a data key, encrypts it by using the master key, and sends both the plaintext data key and the encrypted data key to Amazon S3.

Amazon S3 encrypts the data using the data key and removes the plaintext key from memory as soon as possible after use.

Amazon S3 stores the encrypted data key as metadata with the encrypted data.

Amazon S3 and AWS KMS perform the following actions when you request that your data be decrypted.

Amazon S3 sends the encrypted data key to AWS KMS.

AWS KMS decrypts the key by using the appropriate master key and sends the plaintext key back to Amazon S3.

Amazon S3 decrypts the ciphertext and removes the plaintext data key from memory as soon as possible.

Using the Amazon S3 Encryption Client

You can use the Amazon S3 Encryption Client in the AWS SDK in your own application to encrypt objects and upload them to Amazon S3. This method allows you to encrypt your data locally to ensure its security as it passes to the Amazon S3 service. The Amazon S3 service receives your encrypted data; it does not play a role in encrypting or decrypting it.

The Amazon S3 Encryption Client encrypts the object by using envelope encryption. The client calls AWS KMS as a part of the encryption call you make when you pass your data to the client. AWS KMS verifies that you are authorized to use the customer master key (CMK) that you specified and, if so, returns a new plaintext data key and the data key encrypted under the CMK. The Amazon S3 Encryption Client encrypts the data by using the plaintext key and then deletes the key from memory. The encrypted data key is sent to Amazon S3 to store alongside your encrypted data.

Encryption Context

Each service that is integrated with AWS KMS specifies an encryption context when requesting data keys, encrypting, and decrypting. The encryption context is additional authenticated data (AAD) that AWS KMS uses to check for data integrity. When an encryption context is specified for an encryption operation, Amazon S3 specifies the same encryption context for the decryption operation. Otherwise, the decryption fails. If you are using SSE-KMS or the Amazon S3 encryption client to perform encryption, Amazon S3 uses the bucket path as the encryption context. In the requestParameters field of a CloudTrail log file, the encryption context will look similar to this.
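The following is an added example and is not code from the AWS documentation, the AWS SDK, or the Amazon S3 Encryption Client. It works through two parts of this topic in Go: the envelope-encryption steps (request a data key, encrypt the object with it, store the wrapped key as metadata, then unwrap and decrypt) and the encryption-context check described above, where a decrypt request that presents a different context is refused. A local mock stands in for AWS KMS so the program runs offline. Assumptions: the CMK is a random 256-bit key held inside the mock; AES-256-GCM is used both to wrap the data key and to encrypt the object, with the encryption context serialized to JSON as the AAD; the key ID and the object ARN are constructed values; and the context key name `aws:s3:arn` is assumed to be the name S3 uses for the bucket path.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// MockKMS stands in for AWS KMS so the example runs offline. Master keys are
// constructed locally and, as with a real CMK, never leave the "service".
type MockKMS struct {
	cmks map[string][]byte // key ID -> 256-bit master key
}

// NewMockKMS creates one CMK under the (constructed) ID keyID.
func NewMockKMS(keyID string) *MockKMS {
	master := make([]byte, 32)
	if _, err := rand.Read(master); err != nil {
		panic(err)
	}
	return &MockKMS{cmks: map[string][]byte{keyID: master}}
}

// contextAAD serializes the encryption context as JSON (encoding/json sorts
// map keys) so the same context always produces the same AAD bytes.
func contextAAD(ctx map[string]string) []byte {
	b, _ := json.Marshal(ctx)
	return b
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aesGCMSeal encrypts with AES-256-GCM, binding aad as additional
// authenticated data, and returns nonce||ciphertext||tag.
func aesGCMSeal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// aesGCMOpen reverses aesGCMSeal; it fails if the key, the data or the aad differ.
func aesGCMOpen(key, blob, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], aad)
}

// GenerateDataKey models the KMS call in the first two encryption steps: it
// returns a fresh plaintext data key plus a copy wrapped under the CMK, with
// the encryption context bound as AAD.
func (k *MockKMS) GenerateDataKey(keyID string, ctx map[string]string) (plain, wrapped []byte, err error) {
	master, ok := k.cmks[keyID]
	if !ok {
		return nil, nil, fmt.Errorf("unknown key %q", keyID)
	}
	plain = make([]byte, 32)
	if _, err = rand.Read(plain); err != nil {
		return nil, nil, err
	}
	wrapped, err = aesGCMSeal(master, plain, contextAAD(ctx))
	return plain, wrapped, err
}

// Decrypt models the KMS call at read time: it unwraps the data key only if
// the caller presents the same encryption context used when wrapping it.
func (k *MockKMS) Decrypt(keyID string, wrapped []byte, ctx map[string]string) ([]byte, error) {
	master, ok := k.cmks[keyID]
	if !ok {
		return nil, fmt.Errorf("unknown key %q", keyID)
	}
	return aesGCMOpen(master, wrapped, contextAAD(ctx))
}

// StoredObject is what the storage side keeps: ciphertext plus the encrypted
// data key (and key ID) as metadata. No plaintext key is retained.
type StoredObject struct {
	KeyID            string
	EncryptedDataKey []byte
	Ciphertext       []byte
}

// s3Context builds the per-object encryption context from the bucket path;
// the key name "aws:s3:arn" is an assumption of this example.
func s3Context(objectARN string) map[string]string {
	return map[string]string{"aws:s3:arn": objectARN}
}

// PutEncrypted performs the four encryption steps from the topic.
func PutEncrypted(kms *MockKMS, keyID, objectARN string, data []byte) (StoredObject, error) {
	ctx := s3Context(objectARN)
	plainKey, wrappedKey, err := kms.GenerateDataKey(keyID, ctx)
	if err != nil {
		return StoredObject{}, err
	}
	ct, err := aesGCMSeal(plainKey, data, contextAAD(ctx))
	for i := range plainKey { // drop the plaintext key as soon as it has been used
		plainKey[i] = 0
	}
	if err != nil {
		return StoredObject{}, err
	}
	return StoredObject{KeyID: keyID, EncryptedDataKey: wrappedKey, Ciphertext: ct}, nil
}

// GetDecrypted performs the three decryption steps; a different objectARN
// changes the context, so KMS refuses to unwrap the data key and the read fails.
func GetDecrypted(kms *MockKMS, obj StoredObject, objectARN string) ([]byte, error) {
	ctx := s3Context(objectARN)
	plainKey, err := kms.Decrypt(obj.KeyID, obj.EncryptedDataKey, ctx)
	if err != nil {
		return nil, fmt.Errorf("KMS refused to decrypt data key: %w", err)
	}
	pt, err := aesGCMOpen(plainKey, obj.Ciphertext, contextAAD(ctx))
	for i := range plainKey {
		plainKey[i] = 0
	}
	return pt, err
}

func main() {
	kms := NewMockKMS("example-cmk-id")                   // constructed key ID
	arn := "arn:aws:s3:::example-bucket/report.csv"      // constructed bucket path
	obj, err := PutEncrypted(kms, "example-cmk-id", arn, []byte("payroll,2024"))
	if err != nil {
		panic(err)
	}
	pt, err := GetDecrypted(kms, obj, arn)
	fmt.Printf("round trip: %q err=%v\n", pt, err)
	_, err = GetDecrypted(kms, obj, "arn:aws:s3:::other-bucket/report.csv")
	fmt.Println("wrong context:", err)
}
```

The mismatch case is the point of the encryption-context section: because the context is AAD on the wrapped data key, an object copied to a different path cannot be decrypted by replaying the stored metadata, and the refusal happens inside KMS before any plaintext key is released. When auditing real traffic, the context that KMS was asked to use is what appears in the CloudTrail requestParameters field, so a decrypt failure can be matched against the path the caller presented.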